When a user tries to log in with AD credentials, he only gets "Failed login" and in /var/log/daemon.log I see this:
Code:
Mar 1 17:31:38 atl-vm03 pvedaemon[1695423]: authentication failure; rhost=::ffff:192.168.120.52 user=jdoe@ActiveDirectory msg=Connection reset by peer
I found several other threads about problems with Active Directory authentication but those didn't fix our problem.
Deactivating SSL for test purposes causes this:
Code:
Mar 02 15:27:51 atl-vm03 pvedaemon[1695423]: authentication failure; rhost=::ffff:192.168.120.32 user=jdoe@ActiveDirectory msg=00002028: LdapErr: DSID-0C090276, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580
First DC is running Windows Server 2012 R2. TLS 1.2 is enabled.
Changing "MinProtocol = TLSv1.2" to 1.0 in "/etc/ssl/openssl.cnf" didn't help.
Using "ldap+starttls" as explained in https://bugzilla.proxmox.com/show_bug.cgi?id=2196 didn't help.
Couldn't find anything useful on the Windows server or in PVE logs.
Adding our second DC (also a Windows Server 2012 R2) as a fallback works around the problem, but to have redundancy, I need to fix the problem with the first DC.
Any idea what to look for or test?
Lars
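The two log lines above fail at different layers: the first never reaches an LDAP exchange (the DC drops the TCP connection while TLS is being negotiated), while the second is a real LDAP bind result from a DC that refuses unsigned simple binds when no TLS is active, which is the desirable server-side setting; the fix is to get LDAPS or StartTLS working, not to relax signing. The script below is an added diagnostic, not code from the post or from Proxmox: it probes port 636 one TLS version at a time and tells a peer reset apart from a certificate-trust failure and from a version or cipher rejection, and it parses pvedaemon "authentication failure" lines into their fields. The host name dc1.example.test is a placeholder; the two sample lines are the ones quoted in the post.

```python
"""Added diagnostic (not from the forum post): probe an AD domain controller's
LDAPS endpoint per TLS version and parse pvedaemon authentication-failure lines."""
import re
import socket
import ssl

# Assumed test matrix, newest first. TLSv1.0/1.1 are only tried so that "the DC
# rejects this version" can be told apart from "the handshake never completes".
TLS_VERSIONS = [
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
]

# The two lines quoted in the post (used as sample input).
SAMPLE_RESET_LINE = (
    "Mar 1 17:31:38 atl-vm03 pvedaemon[1695423]: authentication failure; "
    "rhost=::ffff:192.168.120.52 user=jdoe@ActiveDirectory msg=Connection reset by peer"
)
SAMPLE_SIGNING_LINE = (
    r"Mar 02 15:27:51 atl-vm03 pvedaemon[1695423]: authentication failure; "
    r"rhost=::ffff:192.168.120.32 user=jdoe@ActiveDirectory msg=00002028: LdapErr: "
    r"DSID-0C090276, comment: The server requires binds to turn on integrity checking "
    r"if SSL\TLS are not already active on the connection, data 0, v2580"
)

PVE_RE = re.compile(
    r"authentication failure; rhost=(?P<rhost>\S+) user=(?P<user>\S+) msg=(?P<msg>.*)$"
)
# Shape of the AD bind error seen in the post:
# "<code>: LdapErr: DSID-<id>, comment: <text>, data <n>, v<ver>"
AD_ERR_RE = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)$"
)


def classify_handshake_error(exc: BaseException) -> str:
    """Map the exception raised while connecting/handshaking to a coarse cause.
    Order matters: the specific OSError subclasses must be tested first."""
    if isinstance(exc, ConnectionResetError):
        return "reset-by-peer"      # DC closed the TCP connection mid-handshake
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify"        # handshake completed, but our trust store rejects the DC cert
    if isinstance(exc, ssl.SSLError):
        return "tls-alert"          # protocol/cipher mismatch or a TLS alert from the DC
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, OSError):
        return "tcp-error"          # refused, unreachable, DNS failure, ...
    return "unknown"


def probe_tls(host, port=636, version=ssl.TLSVersion.TLSv1_2, verify=True, timeout=5.0):
    """Try exactly one TLS version against host:port and report the outcome."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if not verify:                  # diagnostic only: see which cert the DC presents
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()          # empty dict when verify=False
                subject = dict(rdn[0] for rdn in cert.get("subject", ())) if cert else None
                return {"ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "subject": subject}
    except Exception as exc:        # every failure is classified, never re-raised
        return {"ok": False, "cause": classify_handshake_error(exc), "detail": str(exc)}


def parse_pvedaemon_failure(line: str):
    """Split a pvedaemon 'authentication failure' line into rhost/user/msg and,
    when the DC actually answered, decode the AD LdapErr fields. A msg that is not
    an LdapErr (e.g. 'Connection reset by peer') failed at the transport/TLS layer."""
    m = PVE_RE.search(line)
    if not m:
        return None
    out = m.groupdict()
    if out["rhost"].startswith("::ffff:"):     # strip the IPv4-mapped IPv6 prefix
        out["rhost"] = out["rhost"][len("::ffff:"):]
    ad = AD_ERR_RE.match(out["msg"])
    out["ad_error"] = ad.groupdict() if ad else None
    out["transport_error"] = ad is None
    return out


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.test"   # placeholder DC name
    for name, ver in TLS_VERSIONS:
        result = probe_tls(host, version=ver)
        if not result["ok"] and result["cause"] == "cert-verify":
            # Trust failure: retry unverified to record which cert the DC serves
            result["unverified"] = probe_tls(host, version=ver, verify=False)
        print(f"{name}: {result}")
```

Run it from the PVE host as `python3 probe_ldaps.py <dc-fqdn>`. A `reset-by-peer` on every version after a successful TCP connect points at the DC side (the usual causes are no usable server-authentication certificate in the DC's machine store, or the version disabled in Schannel), whereas `cert-verify` means the handshake completed and the trust store on the PVE host is what needs fixing; `tls-alert` only on TLSv1.0/1.1 with TLSv1.2 succeeding is the healthy outcome. Comparing the output against the second DC, which works, narrows the difference to one side.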